OpenSSH

OpenSSH is a freely distributed and open source software project, a library and command-line program that runs in the background of your GNU/Linux operating system and protects your entire network from intruders and attackers. It is the open source version of the SSH (Secure Shell) specification, specifically designed for

Features at a glance

OpenSSH is an open source project distributed under a free license. It offers strong authentication based on the Public Key, Kerberos Authentication and One-Time Password standards, strong encryption based on the AES, Blowfish, Arcfour and 3DES algorithms, X11 forwarding support that encrypts the entire X Window System traffic, as well as AFS and Kerberos ticket passing.

Additionally, the software features port forwarding support that encrypts channels for legacy protocols, data compression support, agent forwarding support using the Single-Sign-On (SSO) authentication standard, and SFTP (Secure FTP) server and client support in either SSH2 or SSH1 protocols.

Another interesting feature is interoperability, which means that the project complies with versions 1.3, 1.5 and 2.0 of the original SSH (Secure Shell) protocol. After installation, OpenSSH will automatically replace the standard FTP, Telnet, RCP and rlogin programs with secure versions of them, such as SFTP, SCP and SSH.

Under the hood, availability and supported OSes

The OpenSSH project is written entirely in the C programming language. It is comprised of the main SSH implementation and the SSH daemon, which runs in the background. The software is distributed mainly as a universal sources archive, which will work with any GNU/Linux operating system on both 32-bit and 64-bit architectures.

Portable OpenSSH

A portable version of the OpenSSH protocol is also available for download on Softpedia, free of charge, called Portable OpenSSH. It is an open source implementation of SSH version 1 and SSH version 2 protocols for Linux, BSD and Solaris operating systems.

ssh(1): when forwarding X11 connections with ForwardX11Trusted=no, connections made after ForwardX11Timeout expired could be permitted and no longer subject to XSECURITY restrictions because of an ineffective timeout check in ssh(1) coupled with "fail open" behaviour in the X11 server when clients attempted connections with expired credentials. This problem was reported by Jann Horn.

ssh-agent(1): fix weakness of agent locking (ssh-add -x) to password guessing by implementing an increasing failure delay, storing a salted hash of the password rather than the password itself and using a timing-safe comparison function for verifying unlock attempts. This problem was reported by Ryan Castellucci.
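
The three hardening measures named in the ssh-agent(1) entry above (increasing failure delay, salted hash instead of the stored password, timing-safe comparison) can be sketched as follows. This is an added illustration, not OpenSSH's code: the AgentLock class, PBKDF2-SHA256 as the hash, and the delay constants are all assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time


class AgentLock:
    """Hypothetical model of a password-locked agent (not OpenSSH's code)."""
    SALT_LEN = 16
    ITERATIONS = 100_000  # assumed work factor
    BASE_DELAY = 0.1      # assumed: seconds added after the first failure
    MAX_DELAY = 10.0      # assumed cap on the delay

    def __init__(self, sleep=time.sleep):
        self._salt = None
        self._hash = None
        self._failures = 0
        self._sleep = sleep  # injectable so callers can observe the delays

    def _derive(self, password, salt):
        # Salted, slow hash: the plaintext password is never kept in memory.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.ITERATIONS)

    @property
    def locked(self):
        return self._hash is not None

    def lock(self, password):
        if self.locked:
            return False
        self._salt = os.urandom(self.SALT_LEN)  # fresh salt for every lock
        self._hash = self._derive(password, self._salt)
        return True

    def unlock(self, password):
        if not self.locked:
            return False
        candidate = self._derive(password, self._salt)
        # Timing-safe comparison: run time does not depend on where the
        # first differing byte is.
        if hmac.compare_digest(candidate, self._hash):
            self._salt = self._hash = None
            self._failures = 0
            return True
        # Increasing failure delay: doubles per consecutive miss, capped.
        self._failures += 1
        self._sleep(min(self.BASE_DELAY * 2 ** (self._failures - 1),
                        self.MAX_DELAY))
        return False
```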